JP2003208404A - Granular authentication for network user session - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To access to a mobile user session by a method for making the access to a network resource be closely corresponded to the reliability of the authentication method and device relating to the mobile user session. <P>SOLUTION: The authentication bundle is created by generalizing the characteristics of an authentication method related to the mobile user session. The characteristics include a password, the biometric data, or the data related to a device used in performing the authentication method. The characteristics are generalized by various methods to create the non-binary sliding scale of the access to the network resource. The access to the proper network by the mobile user session can be permitted by accessing to the authentication bundle. The operation for permitting the access includes the creating operation of an authentication token transferred to a filter or a reverse proxy. When the certifying method related to the mobile user session is changed, the access to the network resource can e dynamically corrected. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

TECHNICAL FIELD The present invention relates to network security. More particularly, the present invention provides a system, method for granting and dynamically modifying access to network resources, which allows access to correspond to the authenticity of authentication methods and devices associated with a user session. And computer program products.

[0002]

2. Description of the Related Art Today, it is extremely difficult, if not impossible, for network administrators to give mobile users reasonable access to network resources. Most conventional methods of granting access to network resources are binary. That is, either the user is "logged on" and can access network resources, or the user is "logged off" and cannot access the network. This binary approach has been adopted, despite the fact that different devices and different authentication methods will have different levels of trust.

For example, from a public telephone to a dual tone multi-frequency ("DTM
By entering the personal identification number (`` PIN '') of `` F ''),
The user can be granted access to the same network resource that entered the password directly on the coupled computer to the corporate intranet. Entering a password from a computer that is directly connected to the corporate intranet is easier than using a public telephone to DTMF
It can be considered safer than entering a PIN. However, both authentication methods give the same access to network resources. The dual approach is often problematic for mobile user sessions due to the wide variety of devices used in the mobile environment and their corresponding authentication schemes.

In some cases, the network administrator
It may implement secondary domains, secondary user accounts, and various other means in an attempt to give reasonable access to mobile users. For example,
Users can have local user accounts and mobile user accounts. Local user accounts are trusted computing devices (tru
It can be configured to only work on sted computing devices). This allows users to be assigned different access depending on their location. Thus, local user accounts can be given more access to network resources than mobile user accounts. However, this is still a dual approach, as any conventional access method grants the mobile user account the same access to network resources. For example, a mobile user calling from a payphone and logging on with a DTMF PIN, and a secure mobile phone calling a complex challenge response password.
Both mobile users carrying d) can receive the same access to network resources. In other words, no authentication method or device reliability is considered when granting mobile user accounts access to network resources. further,
This method requires additional efforts to establish and maintain mobile user accounts.

Another approach is to specify a particular mobile access method as trusted. For example, the network can be configured to allow mobile access from a user with a secure caller line ID or voiceprint. However, this approach also results in dual access to network resources and does not consider the reliability of the method or device associated with the mobile user session. For example, a mobile user undergoing voiceprint testing from a payphone or secure mobile phone can receive the same access, but with any untrusted access method (n
Mobile users requesting access via an on-trusted access method) are completely denied access to network resources. This approach is often overridden by environmental factors. For example, if a user has a local calling
roaming out of the (rea) may not be able to verify the security of the mobile phone, or the user may have a cold and cannot use the voiceprint. In such cases, access to network resources is denied, although the method and device requesting access may still be relatively reliable.

Considering the reliability of the device associated with a user session is especially important if an access method is predetermined to be secure. The mobile user can present a user ID and password during a request for access to network resources. In some cases, DTMF tones may facilitate the entry into these certificates. Traditional authentication methods may allow the same access to network resources whether these certificates are entered from a public phone or a secure mobile phone.
This may not allow reasonable access, as secure mobile phones can be considered more reliable than payphones.

[0007]

Accordingly, a system that permits or dynamically modifies access to network resources in such a way that the access corresponds to the authenticity of the authentication method and device associated with the user session. A method and computer program product are desired.

[0008]

SUMMARY OF THE INVENTION The principles of the present invention provide for granting and dynamic modification of a user session's access to network resources, the access being associated with the user session's authentication method and It becomes possible to correspond to the reliability of the device. The characteristics associated with the authentication method are aggregated to create an authentication bundle that can include information representative of access to network resources. The security module may receive the authentication bundle and may grant the user session access to the network resource it represents based on the authentication bundle.

A user session can attempt to authenticate to the network using one or more authentication methods. When an authentication attempt is made, a property representative of the authentication method can be detected. Such characteristics may include, for example, the type of device associated with the authentication attempt, such as a telephone, computer, mobile telephone, personal digital assistant (personal digital assistant), or handheld computer. The characteristics associated with the authentication method can also include the type of authentication, such as password or biometric authentication. Such characteristics may also include how the type of authentication was entered, for example, using a key on a telephone keypad, a key on a traditional keyboard, a verbal phrase, or a fingerprint, etc. . Other characteristics can also be detected, such as whether the device is a known device, whether the device is a secure device.

These properties can then be combined to facilitate the generation of an authentication bundle that represents a reasonable degree of access to network resources. Combining can include consideration of different characteristics of the authentication method associated with the user session. Access to network resources can be different or the same due to different combinations of characteristics.
For example, when a DTMF PIN is entered from a public telephone, access to network resources can be made less than in the case of voiceprint authentication. However, if the DTMF PIN is entered from a secure mobile phone, it can probably be given access to the same network resources as in voiceprint authentication. The degree of access to network resources allowed for different authentication methods is
It can be defined in advance. For example, an information technology department of a company may consider managing authentication methods by assigning different levels of access to different authentication methods.

The module has access to an authentication bundle that facilitates granting a user session a reasonable degree of access to network resources. The degree of access granted is determined by the information contained in the authentication bundle that represents it. In one example,
The module authorizes access by generating an authentication token that identifies the degree of access to network resources. Therefore, any user, depending on how and from what device they are authenticated
You can get a variety of different permissions. So, for example, if a user authenticates from a less secure device with a less secure authentication method, that user typically requests authentication from a more secure device using a more secure authentication method. Less access to network resources is allowed.

The module may also take into account whether the established user session has additionally implemented any authentication method and / or moved to a more secure device during the user session. it can. Thus, the module may dynamically grant additional access to the user session in some circumstances. Conversely, during a user session, if for some reason the previously successful authentication method fails, i.e., perhaps the user has moved to a less secure device, the module: Existing access for a user session can be dynamically revoked. Allowing and revoking access can be easily done by a reverse proxy or filter associated with the user session. If access is granted or revoked, the user associated with the user session can be notified.

By taking into account the characteristics of the authentication method, it is possible to grant a reasonable access to network resources to a user session in a non-binary manner. That is, there is a sliding scale from which access to network resources can be given. Access to network resources can vary based on characteristics that represent the authentication methods and devices available at any given time. Therefore, the user session can be granted access that more closely corresponds to the reliability of the authentication method and device associated with the user session.

Further features and advantages of the invention are set forth in the description below. Some of them will be apparent from the description or may be learned by practice of the invention. The features and advantages of the invention may be realized and obtained by means of the instruments and combinations particularly pointed out in the appended claims. These and other features of the invention will be more fully apparent from the following description and the appended claims. Alternatively, it may be known by the embodiments of the invention described below.

To illustrate the manner in which these and other advantages and features of the present invention are obtained, a more detailed description of the invention, briefly set forth above, is set forth in the specific embodiments thereof illustrated in the accompanying drawings. Please refer to. The present invention will now be described with reference to the accompanying drawings, with the understanding that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. To describe and explain further specificity and details.

[0016]

DETAILED DESCRIPTION OF THE INVENTION The present invention is a system for granting and dynamically modifying access to network resources, which allows access to correspond to the authenticity of authentication methods and devices associated with user sessions. , Methods, and computer program products. A device can participate in a user session in which one or more authentication methods are used. The authentication method and device characteristics can be accessed to create an authentication bundle that includes information representative of access to network resources. When the authentication method associated with the user session changes,
Access to network resources of the user session can also be modified accordingly.

During operation, the characteristics of the authentication method and device associated with the user session can be accessed. An authentication bundle can be generated by combining the accessed characteristics. Since the authentication bundle is generated from the characteristics of the authentication method and device, it can contain data representing a reasonable degree of access to network resources. This represented data can be based on the authenticity of the authentication method and device. The access authorization module accesses the authentication bundle to allow the user session to be granted a reasonable degree of access to the network resources represented in the authentication bundle.

Embodiments of the invention may include a special purpose or general purpose computing device containing various computer hardware, as discussed in further detail below. Embodiments within the scope of the present invention also include computer-readable media for carrying or having computer-executable instructions or data structures stored therein. Such computer-readable media can be any available media that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, such computer-readable media may be physical storage such as RAM, ROM, EPROM, CD-ROM, or other optical disk storage device, magnetic disk storage device, or other magnetic storage device. A medium, or any other medium that can be used to carry or store the desired program code means in the form of computer-executable instructions or data structures, and which can be accessed by a general purpose or special purpose computer. Can be prepared.

Information is a network or another communication connection
When transferred to or provided to a computer (either by wire, wireless, or a combination of wire and wireless), the computer naturally views the connection as a computer-readable medium. Thus, any such connection is properly termed a computer-readable medium. Combinations of the above should also be included within the scope of computer-readable media. Computer-executed instructions include, for example, instructions and data that cause a general purpose computer, special purpose computer, or special purpose processing device to perform a particular function or group of functions.

Embodiments of the present invention may also operate in a networked environment using logical communication links to one or more other computing devices, such as logical communication link 130 shown in FIG. it can. Computing devices include personal computers, mobile phones,
Personal digital assistant ("PDA"), server,
It can be a router, network PC, peer device, or other common network node. These computing devices may typically include a processing unit, system memory, a system bus coupling various system components including the processing unit to the system memory, and any of the physical storage media described above. The system bus can be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. System memory can include read only memory (ROM) and random access memory (RAM). A basic input / output system (BIOS), containing the basic routines that help to transfer information between elements within a computing device, such as during start-up, can be stored in ROM.

The logical communication links shown in FIG. 2 are shown by way of example and not limitation, local area networks (“LAN”) and / or wide area networks.
("WAN") part may be included. Such networking environments are commonplace in office-wide or enterprise-wide computer networks such as intranets and the Internet. When used in a LAN networking environment, the computing device can be connected to the local network through a network interface or adapter.

When used in a WAN networking environment, computing devices may include modems, wireless links,
Alternatively, it may include means for establishing communication over other wide area networks such as the Internet. The modem, which may be internal or external, may be connected to the system bus via the serial port interface. In a networked environment, program modules or portions thereof may be stored in remote memory storage. It will be appreciated that the network connections shown in FIG. 2 are exemplary and other means of establishing communications over a LAN or WAN may be used.

Those skilled in the art will appreciate that the present invention may be implemented in personal computers, handheld devices, multiprocessor systems,
In a network computing environment with many types of computer system configurations, including microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, mobile phones, PDAs, pagers, and the like. It will be appreciated that it can be done. The invention may also be practiced in distributed computing environments where local and remote computing devices (both wired, wireless, or a combination of wired and wireless) linked together through a communications network perform tasks. You can In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

[0024] Figure 1 and the following description are intended to provide a brief, general description of a suitable computing environment in which the present invention may be implemented.
Although not necessarily so, the invention will be described in the general context of computer-executable instructions, such as program modules, being executed by a computing device. Generally, program modules include routines, programs, objects, components, data structures, and the like that perform particular tasks or implement particular abstract data types. Computer-executable instructions, associated data structures, and program modules represent examples of the program code means for executing steps of the methods disclosed herein. The particular sequence of such executable instructions or associated data structures represent examples of corresponding acts for implementing the functions described in such steps.

Referring to FIG. 1, an operating environment suitable for the principles of the present invention includes a general purpose computing device in the form of a telephone device 100. The telephone device 100 includes a user interface 101 that allows a user to enter information via an input user interface 103 and review the information presented via an output user interface 102. For example, the output user interface 102 includes a speaker 104 that provides audio information to the user and a display 105 that provides visual information to the user. The telephone device 100 is
An antenna 109 may also be included if it has wireless capabilities.

The input user interface 103 can include a microphone 106 for bringing the audio information into electronic form. In addition, the input user interface 103
Is a 12-button dial control 107 that allows the user to enter information through it.
Equipped with. The input user interface 103 assists the user in navigating through the various inputs and options listed on the display 105,
Navigation control buttons 108 may also be included.

Although the user interface 101 has the appearance of a mobile phone, the invisible features of the user interface 101 can enable complex and flexible general purpose processing functions. For example, the telephone device 10
The 0 also includes a processor 111 and a memory 112, which are connected to each other and also to the user interface 101 via a bus 110. Memory 112 generally represents a wide variety of volatile and / or non-volatile memory and may include memory of the type described above. However, the particular type of memory used in telephone device 100 is not critical to the invention.

Although a telephone device is shown in FIG. 1, embodiments of the present invention may be implemented in a personal computer. The personal computer is a telephone device 100.
Any of the components mentioned with respect to can be included. The personal computer may also be associated with an input user interface in the form of a keyboard and / or mouse and an output user interface in the form of a display device. The personal computer can be coupled to the associated network system via wireless technology, wired technology, or a combination thereof.

Program code means, including one or more program modules, can be stored in memory 112. The one or more program modules may include an operating system 113, one or more application programs 114, other program modules 115, and program data 116.

Although FIG. 1 depicts an operating environment suitable for the present invention, the principles of the present invention may be implemented in any device capable of implementing the principles of the invention with appropriate modification if necessary. It can be applied and used. The environment shown in FIG. 1 is merely exemplary and is not intended to represent even a small portion of a wide variety of environments in which the principles of the present invention may be implemented.

In this description and in the claims below,
A "user session" is defined as a continuous communication relationship between two devices, which may involve data exchange between the two devices. This is because resources are continuously allocated to maintain a connection, a persistent connection between two devices, or a connectionless relationship where resources are not continuously allocated to maintain a connection.
Can be included. An example of a connectionless relationship may be a short message service (“SMS”) environment in which messages are sent to mobile devices at intervals.

In this description and in the claims below,
"Mobile user session" is included in 2
At least one of the devices is defined as a user session, which is a device outside the boundaries of a known network. For example, a mobile phone attempting to access a corporate intranet via the public cellular telephone network. Device types associated with mobile user sessions include telephone devices 100, PDAs, pagers, handheld devices,
It may be a mobile computing device, such as a laptop computer or other device typically associated with a mobile computing environment. However, a mobile user session may be initiated from a non-mobile device, such as a standard personal computer, telephone, or other device, if the origin of the user session is outside the boundaries of a logically or physically known network. Sessions can also be included. For example, a public telephone attempting to access e-mail contained on a corporate intranet through the public switched telephone network (“PSTN”). On the other hand, a mobile phone, or similar device, cannot be associated with a mobile user session if the user session originates within a known boundary. For example, a PDA directly linked to a corporate intranet via a wireless network adapter.

The telephone device 100 can operate in a networked environment, as shown in FIG. FIG. 2 shows a computing device including a telephone device 100, a PDA 101, and a payphone 102. Also shown are the lines between these computing devices and the other functional components involved in the networked environment. These lines represent logical communication paths. Logical communication paths, such as logical communication path 130, may include various network types, protocols, communication methods, or combinations thereof. For example, a logical communication path may include a LAN or WAN part.

In this description, reference is made to the computing device shown in FIG. However, the invention is not limited to the illustrated computing devices. After reading this description, it will be apparent to those skilled in the art that a wide variety of computer system configurations, including those described above, can be used to implement the principles of the present invention.

The logical communication path may also include other program modules (not shown) that arrange and format portions of data to access the illustrated computing devices and functional components. A physical communication medium associated with a logical communication path is, for example, a virtual private network in which a computing device or functional component is
If included ("VPN"), it may change during operation. In these embodiments, by using a virtual connection that is not actually a physical entity,
Data packets can be transferred. The data packets are in turn delivered to the correct destination, but these data packets can only be routed through various machines. That is, there is no dedicated physical line for this connection.

The logical communication path may include the portion of the cellular or digital network that the telephone device 100 uses for voice communication. The logical communication path may also include the portion of the telephone network that the public telephone 102 uses for voice communication. The telephone network used by payphone 102 is part of the PSTN and integrated services digital network ("ISD
N ") and Fiber Distributed Data Interface (" FDD
I ”), etc., and may include parts of more modern telephone networks based on digital technology.

Logical communication paths may also include portions of the Internet or other proprietary networks accessible to the computing device and functional components shown in FIG. 2, in general. The logical communication path may include any combination of the aforementioned networks.

The telephone device 100 can communicate with the public network 140 via the logical communication path 130. Logical communication path 130 may be a wireless communication link. The public network 140 may be a cellular or digital network used by telephone devices for voice communications, the Internet, Public Service Telephone Networks, modem telephone networks such as those mentioned above, or generally the computing device of FIG. It can include any other proprietary network that can be accessed, or any combination thereof.

The public network 140 has a logical communication path 133.
Can be connected to the computing device 145 via. To facilitate the operation of the present invention, the computing device 145 is connected to the public network 1
It is shown as separate from 40. However, the present invention is not limited to this embodiment. Those of ordinary skill in the art, after reading this description, will understand that when implementing the principles of the invention,
It will be appreciated that computing device 145 may be included in public network 140 as well as other networks.

The logical security boundary 150 is also shown in FIG. Logical security boundary 150 logically represents the boundary between public network 140 and computing device 145. Such a boundary may exist between the PSTN and the cellular or digital carrier network. It should be appreciated that logical security boundary 150 is merely a logical boundary. For example, embodiments that include a VPN may communicate through any of the computing devices, functional components, or logical communication links of Figure 2, including those that are within public network 140.

The physical representation of logical security boundary 150 may include devices or systems designed to prevent unauthorized access to computing device 145. This physical representation may also include firewalls, packet filters, application gateways, circuit level gateways, proxy servers, other mechanisms used to protect private networks, or any combination thereof. The physical representation of logical security boundary 150 can be implemented in hardware, software, or a combination thereof.

Computing device 145 may be connected to network resource 120 via logical communication path 134. As with the cases described above, embodiments of the present invention are possible where the computing device 145 is included in the network resource 120. It is also possible that a portion of network resources 120 is included in public network 140.

Also shown in FIG. 2 is the logical security boundary 160. Logical security boundary 160 is a logical representation of the boundary between computing device 145 and network resource 120. Such boundaries may exist between cellular or digital carrier networks and corporate networks. It should be appreciated that logical security boundary 160 is merely a logical boundary. For example, in an embodiment that includes a VPN, intrinsically secure communication via any of the computing devices, functional components, or logical communication links of FIG. 2, including those in public network 140 and network resources 120. It can be performed. The physical representation of logical security boundary 160 may include any of the physical representations described with respect to logical security boundary 150.

FIG. 3 shows a flow chart illustrating a method of granting access to network resources. The method of FIG. 3 will be described with reference to the computing devices and functional components included in FIG.

FIG. 3 shows the security module 210 and the access authorization module 220 that perform the operations. The security module 210 and the access permission module 220 are separated by a logical boundary 205. Security module 210 may be similar to security module 146 shown in FIG. The access permission module 220 may be included in the network resource 120.
In one embodiment, security module 210 may be included as part of a digital or cellular carrier network and access authorization module 220 may be included as part of the corporate network. In this embodiment, logical boundary 205 may be similar to logical boundary 160. However, the invention is not limited to the illustrated arrangements of computing devices and functional components. Those of ordinary skill in the art, after reading this description, will use a wide variety of different computing device and functional component arrangements, including those described above, to:
It will be apparent that the principles of the invention may be implemented.

The method of FIG. 3 may include an act of accessing one or more authentication method characteristics associated with a mobile user session (act 201). In one embodiment, operation 201 may be performed by security module 210 included in the digital carrier network. In another embodiment, the computing device 145
Can access the characteristics of the authentication method used by the telephone device 101. These characteristics can be associated with mobile user sessions that have requested access to network resources 120. The characteristics of the authentication method can include the type of authentication method and the type of device associated with the authentication method.

The characteristics of the authentication method that can be accessed in operation 201 include various types of passwords, various types of biometric data, device identification numbers, caller line identification data, and environmental data such as time. Can be included.

The password contains a series of characters that, when received, allow a user session to access network resources. Passwords can be simple or complex and can be entered in a variety of ways. Simple password is
It cannot be constrained by any rule set that defines how passwords can be constructed. on the other hand,
Complex passwords can be associated with such rules. For example, a complex password must be at least a certain number of characters long, must contain both uppercase and lowercase letters, or be of a different type, such as English letters, Arabic numerals, or non-alphanumeric characters. Is required to be included. If the password contains only numbers, such as Arabic numbers, this password can be called a personal identification number ("PIN").

The password can be entered from a keyboard associated with the computing device, in which case pressing the one or more keys on the keyboard will generate the password. Then, pressing the transmit key sends all parts of the password at the same time.

The password is the dial control 107.
Alternatively, the data can be input from a keypad associated with the telephone device, such as a keypad included in the public telephone 102. The use of Dual Tone Multi Frequency (“DTMF”) technology can facilitate the entry of passwords from the keypad. DTMF assigns a dedicated frequency or tone to each key on the touchtone keypad, which allows the microprocessor to easily identify the key. If you enter the password using DTMF, the data will be transmitted each time a key is pressed. DT
Entering numbers with MF tones is sometimes referred to as entering a DTMF PIN.

The password or PIN can also include a verbal phrase. For example, when attempting to access network resource 120 via a mobile user session, the user speaks a phrase into macrophone 106. Such phrases are transmitted to computing device 145 for verification. The verbal phrase may be entered in response to a challenge issued from a module such as security module 146.

In addition to recognizing that the phrase is verbal, depending on the authentication method, voice quality or pitch, etc.
Some have access to the physical characteristics of the word. In some cases, a computer can analyze such physical properties to determine if the spoken phrase has the same physical properties as an existing "voiceprint". The voiceprint identification method is a type of biometric authentication technology. Biometric authentication techniques often rely on measurable physical data that can be automatically inspected. Data associated with biometric authentication technology can be referred to as biometric data. Examples of other biometric authentication technologies include computer analysis of fingerprints and retinal scans. It should be appreciated that these are just examples of biometric authentication techniques. For those skilled in the art, after reading this description,
It will be apparent that the principles of the present invention may be implemented using virtually any technique that facilitates authentication using measurable physical data.

In performing operation 201, unknown, known,
Or you can access the properties of the secure device.
The unknown device may be a device that has never been used to access network resources. For example, if the PDA 101 has never attempted to access the network resource 120, the security module 146 determines that the PDA 101 is an unknown device. Computing device 145 may include a list or database of known devices. If payphone 102 attempts to access network resource 120 and it is not included in the list, payphone 102 may be designated as an unknown device. Conversely, payphone 10
If 2 is included in the list, it can be designated as a known device.

The list or database containing known devices can be organized in various formats. For example, the list may include computer network addresses associated with computing devices. Or burned into a secure mobile phone
physical device identifier, such as in. The list may also include telephone numbers, in which case the device attempting to access the network resource may be identified by the caller identification data. It should be understood that these are merely examples of lists that can facilitate device identification. For those skilled in the art,
After reading this description, it will be apparent that the principles of the invention can be implemented with virtually any list containing data used to facilitate device identification.

A device can be designated as secure if it is associated with some level of reliability. The reliability of the device can be determined based on the location of the device. For example, a phone in a corporate office can be considered secure. On the other hand, payphone 102
Cannot be considered safe because its location is in a public place, even if it is a known device.

A device can be considered secure based on its characteristics in addition to its location. For example, some computing devices have a hard-coded identification number on the component. These identification numbers may be associated with the user session or may be characteristic of the authentication method used by the computing device. Since the identification number is hard-coded, it is believed to have some level of reliability associated with the computing device containing such number. This confidence level is sufficient to consider such a computing device as a secure device.

Other characteristics that may be considered when determining secure devices include operating system version, firmware version, device type, or currently available system resources. It should be understood that these are merely examples of characteristics that may facilitate the determination of device reliability. It will be apparent to those skilled in the art, after reading this description, determining that a device is a safe device can be accomplished by taking into account virtually any physical property associated with the device.

The characteristics that are accessed can also include the device type of the particular configuration. For example, computing device 145 may be able to detect that the device attempting authentication is a phone, computer, mobile phone, or the like. A combination of device types may occur. For example, the device may be designated as a secure PDA, a known payphone, or an unknown mobile phone.

Other characteristics of the authentication method can also be accessed. Environmental information, such as whether the mobile phone is in a roaming configuration. Temporal information may also be accessed, such as the time of day, the day of the week, or the last time the user associated with the user session accessed the network resource. For example, if a user attempts to access network resources from a known device that has recently passed a rigorous authentication process, granting access to additional resources requires little if any additional authentication. . However, unknown devices may require significant additional authentication in order to be granted access to the same resources.

If the device has multiple communication channels, it can access the communication channels associated with authentication. For example, a mobile phone or PDA carrying a PIN over an out-of-band communication channel.

The method may also include an act of combining the accessed characteristics to generate an authentication bundle that represents the degree of access to the network resource (act 202). The act of combining properties can also be referred to as the act of combining the accessed properties to form a new, more complex authentication bundle. The authentication bundle can include data that represents the degree of access that can be granted to the requesting user session. For example, the password and / or biometric data accessed and / or the characteristics of the device may be aggregated to generate an authentication bundle. Different authentication bundles can be created by combining various characteristics.

In one embodiment, the security module
146 can accumulate the accessed characteristics to facilitate the generation of an authentication bundle. This can be done when the security module 146 is generating an authentication bundle for a user session associated with the telephony device 100. The accessed property is the security module 14
May not arrive at 6 at the same time. For example, security module 146 may access characteristics of a device type associated with telephone device 100 before accessing characteristics of a voiceprint associated with telephone device 100.

Other characteristics, such as the amount of available memory associated with a user session, such as memory, disk space, bandwidth available to the user session, can be aggregated when generating an authentication bundle. In some configurations, the devices associated with the user session may not be well suited to access network resources. The device may not have sufficient memory or disk resources. The device may have a roaming configuration that interferes with reliable communication. Alternatively, the data transmission rate may be lower than a predetermined threshold. It should be understood that these are merely examples of properties that can be combined. Those skilled in the art, after reading this description, understand that the principles of the present invention are
It will be apparent that practically any physical property associated with the device can be used.

By combining the accessed characteristics in various combinations, it is possible to create a sliding scale that allocates access to network resources based on the reliability of the device and the authentication method. For example, a user session authenticated using a DTMF PIN from a secure mobile phone may be given more access to network resources 120 than a public phone 102 authenticating a user session using a DTMF PIN. .

The method of FIG. 3 can include an act of accessing an authentication bundle created by combining the characteristics of one or more authentication methods (act 203). As shown in FIG. 3, this includes performing the included operations from the security module 210 to the access permission module 220.
It also includes transferring to. This illustrates an embodiment where a digital or cellular carrier passes the authentication bundle to the corporate network. In this embodiment, the logical boundary 205 may perform security operations on the data passed between the security module 210 and the access grant module 220.

This is only an example of how the authentication bundle can be accessed. Security module 210 and access authorization module 220 can be included in the same network or device, such as computing device 145. After reading this description, it will be apparent to those skilled in the art that the principles of the present invention can be implemented if the module accesses the authentication bundle from virtually any location.

The method of FIG. 3 can include an act of allowing access to network resources (act 204), where the degree of access can be different depending on the characteristic. The access grant module 220 may be included in the security module 146 and may grant user session access to network resources represented in the authentication bundle. In one embodiment, receiving the authentication bundle may generate an authentication token associated with the level of access to the network resource. The authentication token may include data representing the authentication method that the user session is using.

In one embodiment, a user session may be granted less than the maximum level of access associated with the user. For example, a user authenticated from a connection included in the secure part of a corporate intranet can be associated with a certain level of access to network resources. However, if this user were authenticated by the mobile phone, he would not be given the same level of access to network resources. This is due to the loss of credibility due to the use of mobile phones or the lack of secure authentication methods associated with those mobile phones. For example, the mobile phone is probably safe, but voiceprint testing is not supported.

In one embodiment, a module associated with logical security boundary 150 or logical security boundary 160, such as a firewall or other security mechanism described above, may facilitate granting access to network resources. A filter or reverse proxy can be used to allow a user session less than the maximum level of access associated with the user. In these embodiments, the authentication bundle or token may be passed to a filter or reverse proxy to facilitate granting this reduced access to the user session.

In one embodiment, access to network resources may be modified dynamically. During the user session, authentication methods may be available or unavailable for the user session. This may be due to environmental factors, device configuration, or the physical state of the user. For example, if a mobile phone first authenticated by a DTMF PIN then attempts to access sensitive corporate data by a user session, a complex voice chasing response (complex voice chamfer) is sent.
may be encouraged. Conversely, a user session initially authenticated using a voiceprint may be denied access to network resources if the state of the voice connection deteriorates during the session. In such a case, the new authorization bundle can be aggregated from the accessed characteristics that were present at the particular time.

By allowing access to network resources based on authenticity of the authentication method and device, a sliding scale of access can be utilized. When user sessions log in from different locations using different authentication methods, they are granted different access to network resources. As a result, the use of a single user account can facilitate one user at any location to reasonably access network resources. In addition, access can be adjusted dynamically, so
The likelihood that a user will always have a reasonable level of access to network resources increases.

The present invention can be embodied in other specific forms without departing from its spirit or basic characteristics. The embodiments described above are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes that come within the meaning and range of equivalency of the claims are to be embraced within their scope.

[0073]

According to the present invention, a system, method for granting and dynamically modifying access to network resources, which allows the access to correspond to the authenticity of the authentication method and device associated with the user session, And computer program products are provided.

[Brief description of drawings]

FIG. 1 illustrates an exemplary mobile computing device that provides an operating environment suitable for the present invention.

FIG. 2 illustrates an exemplary network environment that provides an operating environment suitable for the present invention.

FIG. 3 is a flow diagram illustrating an example of a method of authorizing access to network resources.

[Explanation of symbols]

100 telephone equipment 101 User Interface 102 Output user interface 103 Input user interface 104 speaker 105 display 106 microphone 107 dial control 108 Navigation control buttons 109 antenna 110 bus 111 processor 112 memory 113 operating system 114 Application Program 115 Program Module 116 Program data 120 network resources 130 logical communication link 133 Logical communication path 134 Logical communication path 140 public network 141 Personal Digital Assistant 142 Payphone 143 Personal computer 144 laptop 145 Computing Equipment 146 Security Module 150 Logical security boundary 160 Logical security boundary 205 logical boundaries 210 security module 220 Access permission module

Continued front page    (72) Inventor Shaun Dominick Loveland             United States 98074 Washington             Samamish North East 4 Str             REIT 21250 F-term (reference) 5B085 AE23 BC02 BG02 BG07                 5K024 AA61 DD01 EE01 EE09 GG01                       GG05 GG08 HH00                 5K067 AA32 AA33 DD23 EE02 EE10                       HH22 HH23 HH24                 5K101 KK15 KK16 KK17 KK20 LL01                       LL02 LL12 MM07 NN02 NN07                       PP03 PP04 TT06 UU03

Claims (43)

[Claims] 1. A computing device comprising a security module capable of granting a user session access to network resources, depending on one or more authentication methods and security of one or more devices associated with a mobile user session. A method of permitting access to network resources to the mobile user session by permitting access corresponding to the reliability of the associated authentication method and device, the method being associated with the mobile user session. Accessing characteristics of one or more authentication methods, and combining said accessed characteristics to generate an authentication bundle representing access to network resources, said authentication bundle using it. Network Method characterized by comprising the steps in which it is possible to allow access to the work resource to the mobile user session. 2. The method of claim 1, wherein accessing a characteristic of one or more authentication methods associated with the mobile user session comprises the steps of one or more authentication methods representative of the mobile user session. A method comprising the step of accessing a property. 3. The method of claim 1, wherein accessing a characteristic of one or more authentication methods associated with the mobile user session comprises: a characteristic of a device associated with the one or more authentication methods. A method comprising the step of accessing. 4. The method of claim 3, wherein accessing device characteristics associated with one or more authentication methods comprises accessing phone characteristics associated with one or more authentication methods. A method comprising :. 5. The method of claim 3, wherein accessing a characteristic of a device associated with one or more authentication methods comprises accessing a characteristic of an unknown device associated with one or more authentication methods. A method comprising the steps of: 6. The method of claim 3, wherein the step of accessing a characteristic representative of a device associated with one or more authentication methods comprises: a characteristic of a known device associated with the one or more authentication methods. A method comprising the step of accessing. 7. The method of claim 6, wherein accessing a known device characteristic associated with one or more authentication methods comprises: accessing caller line identification data associated with the device. A method comprising providing. 8. The method of claim 3, wherein accessing a characteristic of a device associated with one or more authentication methods comprises accessing a characteristic of a secure device associated with one or more authentication methods. A method comprising the steps of: 9. The method of claim 3, wherein accessing a characteristic of a device associated with one or more authentication methods comprises accessing a characteristic of a computing device associated with the one or more authentication methods. A method comprising the steps of: 10. The method of claim 9, wherein the step of accessing a characteristic of a computing device associated with one or more authentication methods comprises: a characteristic of a personal computer associated with the one or more authentication methods. A method comprising the step of accessing. 11. The method of claim 9, wherein accessing a characteristic of a computing device associated with one or more authentication methods comprises: a mobile computing device associated with the one or more authentication methods. A method comprising the step of accessing a property. 12. The method according to claim 11, wherein:
The method of accessing a characteristic of a mobile computing device associated with one or more authentication methods comprises the step of accessing a characteristic of a mobile telephone associated with one or more authentication methods. 13. The method of claim 11, wherein:
The method of accessing a characteristic of a mobile computing device associated with one or more authentication methods comprises the step of accessing a characteristic of a personal digital assistant associated with one or more authentication methods. 14. The method of claim 11, wherein:
The method of accessing a characteristic of a mobile computing device associated with one or more authentication methods comprises the step of accessing a characteristic of a handheld computer associated with one or more authentication methods. 15. The method of claim 1, wherein accessing a property of one or more authentication methods associated with the mobile user session comprises the property of a password associated with the one or more authentication methods. A method comprising the step of accessing. 16. The method of claim 15, wherein:
Accessing a property of a password associated with one or more authentication methods comprises accessing a property of a personal identification number, including dual-tone multi-frequency tone, associated with one or more authentication methods. how to. 17. The method of claim 15, wherein:
The method of accessing a characteristic of a password associated with one or more authentication methods comprises the step of accessing a characteristic of a personal identification number that includes a verbal phrase associated with one or more authentication methods. 18. The method of claim 15, wherein:
Accessing a characteristic of a password associated with one or more authentication methods is accessing a characteristic of a password transmitted out-of-band from the mobile computing device, the password being associated with one or more authentication methods. A method comprising the steps of: 19. The method of claim 1, wherein accessing the characteristics of one or more authentication methods associated with the mobile user session comprises the step of: of biometric data associated with the one or more authentication methods. A method comprising the step of accessing a property. 20. The method of claim 19, wherein:
The method of accessing a characteristic of biometric data associated with one or more authentication methods comprises the step of accessing a characteristic of a voiceprint associated with one or more authentication methods. 21. The method of claim 19, wherein:
The method of accessing a characteristic of biometric data associated with one or more authentication methods comprises the step of accessing a characteristic of a fingerprint associated with one or more authentication methods. 22. The method of claim 19, wherein
The method of accessing a characteristic of biometric data associated with one or more authentication methods comprises: accessing a characteristic of a retinal scan associated with one or more authentication methods. 23. The method of claim 1, wherein the step of generating an authentication bundle representative of access to network resources by synthesizing the accessed characteristics comprises: an accessed characteristic associated with a device; A method comprising: generating an authentication bundle representing access to network resources by synthesizing an accessed characteristic associated with a password. 24. The method of claim 1, wherein the step of generating an authentication bundle representative of access to network resources by synthesizing the accessed characteristics comprises: an accessed characteristic associated with a device; A method comprising: combining an accessed characteristic associated with biometric data to generate an authentication bundle representing access to a network resource. 25. The method of claim 1, wherein the step of generating an authentication bundle representing access to network resources by synthesizing the accessed characteristics includes the accessed characteristics associated with a password, and A method comprising: combining an accessed characteristic associated with biometric data to generate an authentication bundle representing access to a network resource. 26. The method of claim 1, wherein the step of generating an authentication bundle representative of access to network resources by synthesizing the accessed characteristics comprises: an accessed characteristic associated with a device; A method comprising: combining an accessed characteristic associated with a password and an accessed characteristic associated with biometric data to generate an authentication bundle representing access to a network resource. 27. The method of claim 1, wherein the step of generating an authentication bundle representing access to network resources by synthesizing the accessed characteristics comprises: executing one or more authentication methods. A method comprising: generating an authentication bundle representing access to a network resource by summing time-related characteristics. 28. A computing device comprising an access authorization module capable of authorizing a user session to access network resources, wherein the mobile user session includes one or more authentication methods and one associated with the mobile user session. A method for permitting access to a network resource according to the security of a device as described above, thereby permitting access corresponding to the related authentication method and the reliability of the device, the method accessing an authentication bundle. The authentication bundle is generated by synthesizing the characteristics of one or more authentication methods associated with the mobile user session, and allowing access to network resources. Access How the degree of is characterized in that it comprises the steps can be different by said characteristics. 29. The method of claim 28, wherein accessing an authentication bundle comprises the access authorization module accessing an authentication bundle. 30. The method of claim 28, wherein accessing the authentication bundle comprises accessing the authentication bundle such that the mobile user session is represented by the authentication bundle. A method comprising the step of being allowed access to a resource. 31. The method of claim 28, wherein accessing the authentication bundle comprises accessing the authentication bundle such that the authentication token associated with the level of access to the network resource. A method comprising the steps of: being generated. 32. The method of claim 28, wherein accessing an authentication bundle comprises accessing an authentication bundle, whereby the one or more authentication methods associated with the mobile user session. A method comprising the step of generating an authentication token including data representing a. 33. The method of claim 28, wherein allowing access to network resources comprises allowing a mobile user session access less than a maximum level access associated with the user. How to characterize. 34. The method of claim 33, wherein granting the mobile user session less than the maximum level access associated with the user is the step of receiving an authentication bundle, thereby providing a filter. Reducing the access to network resources of the mobile user session to less than the maximum level of access associated with the user. 35. The method of claim 33, wherein granting the mobile user session less than the maximum level access associated with the user is the step of receiving an authentication bundle, thereby reversing. A method comprising the step of: the proxy reducing access to network resources of a mobile user session to less than maximum level access associated with a user. 36. The method of claim 28, wherein allowing access to network resources is modifying existing access to network resources for a mobile user session, the modified access being The method comprises different steps from existing access. 37. The method of claim 36, wherein modifying the existing access to network resources of a mobile user session, wherein the modified access is different from the existing access. A method comprising modifying an existing access of a user session to a network resource by adding to the existing access to allow access to the network resource. 38. The method of claim 36, modifying existing access to network resources of a mobile user session, wherein the modified updated access is different from the existing access. The method comprises modifying existing access to network resources of a mobile user session by revoking some of the existing access to network resources. 39. The method of claim 28, further comprising the step of notifying a user associated with the mobile user session which network resources the mobile user session can access. how to. 40. In a computing device that includes a security module that can allow a user session to access network resources, wherein the mobile user session is dependent on one or more authentication methods and one or more device security. What is claimed is: 1. A computer program product that realizes a related authentication method and a method of allowing access corresponding to the reliability of a device by allowing access to network resources, the computer program product executing on the computing device. And a computer readable medium having computer-executable instructions for causing the computing device to perform the method of granting access, the method of granting access being the mobile. Computer program, comprising: accessing one or more characteristics of an authentication method associated with a user session; and summing the accessed characteristics to generate an authentication bundle representing access to network resources. product. 41. The computer program product of claim 40, wherein the computer readable medium is a physical storage medium. 42. A computing device comprising a security module capable of granting a user session access to network resources, wherein the mobile user session is dependent on one or more authentication methods and one or more device security. What is claimed is: 1. A computer program product that realizes a method of authorizing access according to a related authentication method and device reliability by permitting access to a network resource, the computer program product executing on the computing device. A computer readable medium having computer-executable instructions for causing the computing device to perform the method of granting access, wherein the method of granting access is an authentication bundle. Accessing, wherein the authentication bundle is generated by aggregating characteristics of one or more authentication methods associated with the mobile user session; and allowing access to network resources. A computer program product, the degree of access of which may vary depending on the characteristic. 43. The computer program product of claim 42, wherein the computer readable medium is a physical storage medium.